Set up IPv6 for instance?

[sirkus 7]

Hi everyone. I'm trying to set up a simple VM in Google Cloud Platform that can ping ipv6.google.com successfully. I'm using  GCP docs regarding IPv6 support, including :

• https://cloud.google.com/vpc/docs/vpc#ipv6-addresses
• https://cloud.google.com/vpc/docs/using-vpc#subnet-enable-ipv6
• https://cloud.google.com/compute/docs/ip-addresses/configure-ipv6-address

Here's what I've done so far:

1. In my project, I created a VPC subnet called "proj-net" in region "us-west2", and enabled IPv6 for it using the gcloud command:

gcloud compute networks subnets update proj-net \

--stack-type=IPV4_IPV6 \

--ipv6-access-type=EXTERNAL \

--region=us-west2

2. I created a Debian 10 VM instance called "test-srv-1" then enabled IPv6 with:

gcloud compute instances network-interfaces update test-srv-1 \

--ipv6-network-tier=PREMIUM \

--stack-type=IPV4_IPV6 \

--zone=us-west2-a

According to the documentation, the GCP is to provide a /64 and the NIC should be assigned the first address from that range. And, a default route and firewall rule should be set up to allow outgoing traffic (should allow the ping.) 

But, from the test-srv-1 VM, when I try to ping Google with IPv6, I get a No Route error:

$ ping6 ipv6.google.com

PING ipv6.google.com(lax31s01-in-x0e.1e100.net (2607:f8b0:4007:80e::200e)) 56 data bytes

From fe80::4001:ff:fe00:0%ens4 (fe80::4001:ff:fe00:0%ens4): icmp_seq=1 Destination unreachable: No route

I'm still learning IPv6 admin concepts as well as learning how GCP deals with addressing/routing for instances. It's challenging to know what GCP is to provide, and what I need to set up on the VM host, so I'm looking for any advice on next steps.

For more information, here is what I can see on the VM:

The IPv6 information for the VM's interface look like this:

2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 state UP qlen 1000

inet6 2600:1900:xxxx:xxxx:0:1::/128 scope global

valid_lft forever preferred_lft forever

inet6 fe80::4001:aff:fe04:2d2/64 scope link

valid_lft forever preferred_lft forever

And the routes:

$ netstat -rn6

Kernel IPv6 routing table

Destination Next Hop Flag Met Ref Use If

::1/128 :: U 256 2 0 lo

2600:1900:xxxx:xxxx:0:1::/128 :: U 256 1 0 ens4

fe80::/64 :: U 256 2 0 ens4

::/0 fe80::4001:aff:fe04:201 UGDAe 1024 3 0 ens4

::1/128 :: Un 0 5 0 lo

2600:1900:xxxx:xxxx:0:1::/128 :: Un 0 3 0 ens4

fe80::4001:aff:fe04:2d2/128 :: Un 0 4 0 ens4

ff00::/8 :: U 256 4 0 ens4

::/0 :: !n -1 1 0 lo

Can anyone give me any advice on how to take next steps?

[sirkus 7]

In case it helps anyone track with what I'm doing, I'll provide the exact commands I'm using.

Here's my simple and repeatable proof of concept:

1. Within a project, create a VPC network

$ gcloud config set project my-test-project

$ gcloud compute networks create targetnet \

--subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional

2. Create subnet with IPv6 support

$ gcloud compute networks subnets create targetnet-1 \

--network=targetnet --range=10.9.9.0/24 \

--stack-type=IPV4_IPV6 --ipv6-access-type=EXTERNAL \

--region=us-west2

3. Create an instance with IPv6 support

$ gcloud compute instances create test-1 \

--stack-type=IPV4_IPV6 --ipv6-network-tier=PREMIUM \

--subnet=targetnet-1 --zone=us-west2-a \

--image-family=debian-10 --image-project=debian-cloud \

--machine-type=e2-micro

4. Add a firewall rule to give SSH access to the instance

$ gcloud compute firewall-rules create target-ssh-home \

--network targetnet --allow tcp:22 --source-ranges <my IPv4 addr>

5. SSH to the instance, look at the network addresses & route:

$ ip -6 addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000

inet6 ::1/128 scope host

valid_lft forever preferred_lft forever

2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 state UP qlen 1000

inet6 2600:1900:xxxx:xxxx:0:1::/128 scope global

valid_lft forever preferred_lft forever

inet6 fe80::4001:aff:fe04:2d2/64 scope link

valid_lft forever preferred_lft forever

$ ip -6 route

::1 dev lo proto kernel metric 256 pref medium

2600:1900:xxxx:xxxx:0:1:: dev ens4 proto kernel metric 256 pref medium

fe80::/64 dev ens4 proto kernel metric 256 pref medium

default via fe80::4001:aff:fe04:201 dev ens4 proto ra metric 1024 expires 85sec pref medium

6. Attempt to ping an external IPv6 resource:

$ ping6 ipv6.google.com

PING ipv6.google.com(lax31s01-in-x0e.1e100.net (2607:f8b0:4007:80e::200e)) 56 data bytes

From fe80::4001:ff:fe00:0%ens4 (fe80::4001:ff:fe00:0%ens4): icmp_seq=1 Destination unreachable: No route

Again, the docs indicate the firewall defaults should allow outgoing ICMP. Still, I've also tried adding firewall rules to allow ICMP (and every) service in various forms to see if that helped. This did not change the result. Also, I confirmed that GCP added a default IPv6 route for the network. (::/0).

According to the documentation, the GCP is to provide a /64 and the NIC should be assigned the first address from that range. I don't see that here. Is there something I need to do on the host to get that? Or is there something I've missed that is needed in GCP?